Privacy: Hotspot Shield, PureVPN, and ZenMate found to leak sensitive data
VPN tools have been in the headlines recently. Firstly, Facebook's Onavo VPN was found to be gathering user data, and then McAfee snapped up VPN firm TunnelBear. Now for users of Hotspot Shield, PureVPN and ZenMate, there's a warning: sensitive data such as your real IP address may be leaked.
A VPN company with a strong interest in privacy, vpnMentor, commissioned research into the three well-known tools, and problems were found in all of them. The developers were notified, but only Hotspot Shield has addressed the problems that were found.
vpnMentor hired a team of ethical hackers who looked into the three VPNs. The three tools tested -- Hotspot Shield, PureVPN and ZenMate -- were all found to have problems that could compromise user privacy. While the problems with ZenMate were less severe than those found in the other two VPNs, vpnMentor reports that "we regretfully found that all of them leak sensitive data."
Commenting on its research, the company said:
On the positive side, after we contacted the VPN vendors, we saw one that was fast to respond and release a patch within days. We are still waiting to hear from the other two VPN vendors, and have decided to publish the information in hope that they will hurry up and fix the underlying issues for the benefit of their users.
Hotspot Shield was found to have a trio of issues. CVE-2018-7879 meant that the Hotspot Shield Chrome extension could be used to hijack traffic, while CVE-2018-7878 leaked sensitive data. CVE-2018-7880 was the most serious, leaking the real IP address of users.
The company behind the VPN said:
The researchers hired by vpnMentor did not find any vulnerabilities in the mobile or desktop versions of Hotspot Shield. The vulnerabilities they reported were present only in the free Chrome plug-in. Neither mobile nor desktop users of the Hotspot Shield app were affected by these vulnerabilities. We appreciate and commend vpnMentor’s initiative to improve the security of consumer VPN applications, and look forward to seeing more research from their side involving more VPN products in the near future.
ZenMate VPN and PureVPN were found to have similar issues, but details are not being revealed yet due to the risk posed to users.
vpnMentor has some simple advice for those using the affected VPNs:
If you are a user of ZenMate or PureVPN, contact the support team and ask for the vulnerabilities to be fixed ASAP.
PureVPN has issued a statement, saying:
The Firefox browser, by default, has an inherent limitation where it makes it almost impossible to identify and differentiate remote and local hosts. Our intention was to allow users the freedom to access all local domains conveniently while using our extension. The tests that were carried out were not on PureVPN's latest Firefox extension build, since it has already been patched. The Firefox store clearly shows that our extension was last updated on March 07, 2018, and this update included the fix for the above mentioned issue.